Compare commits
2 Commits
72f6073e47
...
052c690509
| Author | SHA1 | Date |
|---|---|---|
 wpetit
|
052c690509 | |
|
wpetit
|
e8e484a7ff |
|
|
@ -11,8 +11,10 @@ var (
|
|||
createKeyCmd = false
|
||||
getPublicKeyCmd = false
|
||||
createTokenCmd = false
|
||||
verifyTokenCmd = false
|
||||
debug = false
|
||||
keyFile string
|
||||
tokenFile string
|
||||
tokenIssuer string
|
||||
tokenPeerID = uuid.New()
|
||||
keySize = 2048
|
||||
|
|
@ -28,12 +30,17 @@ func init() {
|
|||
&createTokenCmd, "create-token", createTokenCmd,
|
||||
"Create a new signed authentication token",
|
||||
)
|
||||
flag.BoolVar(
|
||||
&verifyTokenCmd, "verify-token", verifyTokenCmd,
|
||||
"Verify a token generated with the given key",
|
||||
)
|
||||
flag.BoolVar(
|
||||
&getPublicKeyCmd, "get-public-key", getPublicKeyCmd,
|
||||
"Get the PEM encoded public key associated with the private key",
|
||||
)
|
||||
flag.BoolVar(&debug, "debug", debug, "Debug mode")
|
||||
flag.StringVar(&keyFile, "key", keyFile, "Path to the encrypted PEM encoded key")
|
||||
flag.StringVar(&tokenFile, "token", tokenFile, "Path to the token to verify")
|
||||
flag.StringVar(&tokenIssuer, "token-issuer", tokenIssuer, "Token issuer")
|
||||
flag.StringVar(&tokenPeerID, "token-peer-id", tokenPeerID, "Token peer ID")
|
||||
flag.IntVar(&keySize, "key-size", keySize, "Size of the private key")
|
||||
|
|
@ -48,6 +55,8 @@ func main() {
|
|||
getPublicKey()
|
||||
case createTokenCmd:
|
||||
createToken()
|
||||
case verifyTokenCmd:
|
||||
verifyToken()
|
||||
default:
|
||||
flag.Usage()
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,10 +2,7 @@ package main
|
|||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
|
|
@ -47,25 +44,6 @@ func askPassphrase() ([]byte, error) {
|
|||
return passphrase, nil
|
||||
}
|
||||
|
||||
func privateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
|
||||
if passphrase == nil {
|
||||
return nil, errors.New("passphrase cannot be empty")
|
||||
}
|
||||
|
||||
// Convert it to pem
|
||||
block := &pem.Block{
|
||||
Type: "RSA PRIVATE KEY",
|
||||
Bytes: x509.MarshalPKCS1PrivateKey(key),
|
||||
}
|
||||
|
||||
block, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, passphrase, x509.PEMCipherAES256)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
return pem.EncodeToMemory(block), nil
|
||||
}
|
||||
|
||||
func loadPrivateKey() (*rsa.PrivateKey, error) {
|
||||
if keyFile == "" {
|
||||
return nil, errors.New("you must specify a key file to load")
|
||||
|
|
@ -85,6 +63,19 @@ func loadPrivateKey() (*rsa.PrivateKey, error) {
|
|||
return privateKey, nil
|
||||
}
|
||||
|
||||
func loadToken() ([]byte, error) {
|
||||
if tokenFile == "" {
|
||||
return nil, errors.New("you must specify a token file to load")
|
||||
}
|
||||
|
||||
token, err := os.ReadFile(tokenFile)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
return token, nil
|
||||
}
|
||||
|
||||
func handleError(err error) {
|
||||
if !debug {
|
||||
fmt.Printf("%+v\n", errors.WithStack(err))
|
||||
|
|
|
|||
|
|
@ -0,0 +1,55 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
|
||||
peering "forge.cadoles.com/Cadoles/go-http-peering"
|
||||
"github.com/dgrijalva/jwt-go"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func verifyToken() {
|
||||
rawToken, err := loadToken()
|
||||
if err != nil {
|
||||
handleError(errors.WithStack(err))
|
||||
}
|
||||
|
||||
privateKey, err := loadPrivateKey()
|
||||
if err != nil {
|
||||
handleError(errors.WithStack(err))
|
||||
}
|
||||
|
||||
fn := func(token *jwt.Token) (interface{}, error) {
|
||||
return &privateKey.PublicKey, nil
|
||||
}
|
||||
|
||||
token, err := jwt.ParseWithClaims(string(rawToken), &peering.ServerTokenClaims{}, fn)
|
||||
if err != nil {
|
||||
validationError, ok := err.(*jwt.ValidationError)
|
||||
if ok {
|
||||
handleError(errors.WithStack(validationError.Inner))
|
||||
}
|
||||
|
||||
handleError(errors.WithStack(err))
|
||||
}
|
||||
|
||||
if !token.Valid {
|
||||
handleError(errors.New("token is invalid"))
|
||||
}
|
||||
|
||||
claims, ok := token.Claims.(*peering.ServerTokenClaims)
|
||||
if !ok {
|
||||
handleError(errors.New("unexpected token claims"))
|
||||
}
|
||||
|
||||
data, err := json.MarshalIndent(claims, "", " ")
|
||||
if err != nil {
|
||||
handleError(errors.WithStack(err))
|
||||
}
|
||||
|
||||
fmt.Println("Token OK.")
|
||||
fmt.Println("Claims:")
|
||||
fmt.Println(string(data))
|
||||
|
||||
}
|
||||
|
|
@ -51,7 +51,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
|
|||
|
||||
serverClaims, err := assertServerToken(key, serverToken)
|
||||
if err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", err)
|
||||
sendError(w, http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
|
@ -64,13 +64,13 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
|
|||
options.IgnoredClientTokenErrors...,
|
||||
)
|
||||
if err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", err)
|
||||
switch err {
|
||||
case peering.ErrPeerNotFound:
|
||||
sendError(w, http.StatusUnauthorized)
|
||||
case ErrNotPeered:
|
||||
if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", err)
|
||||
sendError(w, http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
|
@ -78,7 +78,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
|
|||
return
|
||||
case ErrPeerRejected:
|
||||
if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", err)
|
||||
sendError(w, http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
|
@ -92,19 +92,19 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
|
|||
|
||||
match, body, err := assertBodySum(r.Body, clientClaims.BodySum)
|
||||
if err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", err)
|
||||
sendError(w, http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
if !match {
|
||||
logger.Printf("[ERROR] %s", ErrInvalidChecksum)
|
||||
logger.Printf("[ERROR] %+v", ErrInvalidChecksum)
|
||||
sendError(w, http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
|
||||
logger.Printf("[ERROR] %s", err)
|
||||
logger.Printf("[ERROR] %+v", err)
|
||||
sendError(w, http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue